Department of Homeland Security
Office of Inspector General

Immigration and Customs Enforcement Privacy Stewardship

OIG-10-100
July 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

July 6, 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses Immigration and Customs Enforcement’s plans and activities to instill a privacy culture that protects sensitive personally identifiable information and ensure compliance with federal privacy regulations. It is based on interviews with employees and officials of relevant agencies and institutions, direct observations, and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L. Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary
Background
Results of Audit
    ICE Has Made Progress in Privacy Stewardship
    Program Operations Managers Can Improve Privacy Culture
    Recommendations
    Management Comments and OIG Analysis

Figures
    Figure 1: ICE’s Purposes for Personally Identifiable Information
    Figure 2: Pillars of Privacy Stewardship
    Figure 3: ICE Reported Privacy and Security Incidents
    Figure 4: Training Recommendations by Survey Respondents
    Figure 5: Privacy Integration in Information-Sharing Access Agreements

Appendixes
    Appendix A: Purpose, Scope, and Methodology
    Appendix B: Management Comments to the Draft Report
    Appendix C: Legislation, Memorandums, Directives, and Guidance
    Appendix D: The Fair Information Practice Principles
    Appendix E: Component-Level Privacy Office Designation and Duties
    Appendix F: Selected Systems: PII Collected, Privacy Impact Assessments, System of Records Notices, and Information Sharing
    Appendix G: ICE Culture of Privacy Survey
    Appendix H: Major Contributors to This Report
    Appendix I: Report Distribution

Abbreviations
    BMIS Web    Bond Management Information System Web Version
    DARTTS      Data Analysis and Research for Trade Transparency System
    DHS         Department of Homeland Security
    FIPPs       Fair Information Practice Principles
    FISMA       Federal Information Security Management Act
    ICE         Immigration and Customs Enforcement
    NCVIS       National Child Victim Identification System
    OIG         Office of Inspector General
    OMB         Office of Management and Budget
    PII         personally identifiable information
    PIA         Privacy Impact Assessment
    SEVIS I     Student and Exchange Visitor Information System
    SORN        System of Records Notice

Executive Summary

We performed an audit of Immigration and Customs Enforcement’s privacy stewardship.
Our audit objectives were to determine whether Immigration and Customs Enforcement’s plans and activities instill a culture of privacy and whether it complies with federal privacy laws and regulations. Appendix A provides our purpose, scope, and methodology.

Immigration and Customs Enforcement has made progress instilling a culture of privacy. Specifically, it demonstrated an organizational commitment to privacy compliance by appointing a privacy officer and establishing the Immigration and Customs Enforcement Privacy Office. The Privacy Office provides guidance to program and system managers who collect personally identifiable information on meeting requirements for notice, incident reporting, and privacy impact assessments. In addition, the Privacy Office has established processes for initial and annual privacy training and for addressing access, complaints, and redress for individuals.

We are making three recommendations to the Assistant Secretary to strengthen Immigration and Customs Enforcement’s privacy stewardship.
Immigration and Customs Enforcement can improve its culture of privacy by (1) developing and implementing privacy procedures and job-related privacy training to safeguard personally identifiable information in program operations, (2) establishing penalties for violations that correspond with Department of Homeland Security privacy rules of conduct, and (3) establishing a standardized process that includes Immigration and Customs Enforcement Privacy Office review and approval of information-sharing access agreements that involve personally identifiable information.

Background

The Privacy Act of 1974, as amended, imposes requirements on agencies whenever they collect, use, or disseminate personally identifiable information (PII) in a system of records. PII refers to any information that permits the identity of an individual to be directly or indirectly inferred, including any information that is or can be linked to that individual, whether the individual is a U.S. citizen, legal permanent resident, or a visitor to the United States. The Privacy Act grants U.S. citizens and legal permanent residents access and amendment rights with limited judicial review.

A mixed system is any system of records that collects, maintains, or disseminates PII about U.S. persons and non-U.S. persons.
For mixed systems, DHS Memorandum 2007-01: DHS Privacy Policy Regarding Collection, Use, Retention, and Dissemination of Information on Non-U.S. Persons, requires the Department of Homeland Security (DHS) to extend a variety of Privacy Act protections to all persons (including aliens).[1]

Immigration and Customs Enforcement (ICE) is the largest DHS investigative agency. ICE is responsible for enforcing immigration laws and investigating people, money, and materials that support terrorist and criminal activities. Almost 18,000 employees in more than 400 offices around the world interact daily with the public or collect, use, and disseminate PII about the public.

Figure 1 shows purposes for PII collection by three of ICE’s major operations and for the maintenance of this PII in eight mixed systems that we reviewed. In 2008, Detention and Removal Operations, with support from the Office of the Chief Financial Officer, processed nearly 80,000 bonds and removed almost 246,000 illegal aliens. ICE collects PII from more than 1 million students, visitors, and sponsors for law enforcement and immigration control.
ICE agents use databases with more than 364,000 PII records on child victimization, money laundering, and gang activity.

ICE’s Purposes for Personally Identifiable Information

    IMMIGRATION BONDS FOR DETAINEES
    Office of the Chief Financial Officer systems
    Bond Management Information System Web Version (BMIS Web) and Electronic Bonds (eBONDS)
    • Records and maintains financial information on immigration bonds for aliens involved in removal proceedings
    • Verifies alien eligibility for bond release; processes and tracks the life cycle of bonds

    STUDENT IMMIGRATION ENFORCEMENT
    Office of Investigation Division 2 systems
    Student & Exchange Visitor Information System (SEVIS I) and SEVIS II
    • Maintains information on F, M, and J Visa users, their dependents, and associated schools and sponsors

    GLOBAL CRIMINAL INVESTIGATIONS
    Office of Investigation Division 6 systems
    Data Analysis & Research for Trade Transparency System (DARTTS) and DARTTS Enterprise, National Child Victim Identification System (NCVIS), ICEGangs
    • Analyzes trade and financial data for money laundering or other import-export crimes
    • Combats exploitation of children, child pornography, and child sex tourism
    • Maintains information on gang members and associates and gang-related activity

Figure 1. ICE’s Purposes for Personally Identifiable Information
Source: ICE Privacy Impact Assessments and System of Records Notices.

[1] DHS Memorandum 2007-01 does not create a right of judicial review for non-U.S. persons.

DHS components are responsible for complying with federal privacy laws and requirements. Privacy Policy Guidance Memorandum 2008-01 establishes the Fair Information Practice Principles (FIPPs) as the DHS privacy policy framework. The FIPPs are a set of principles that govern the collection, handling, and maintenance of PII. Appendix C lists federal requirements and guidance related to ICE’s privacy stewardship.

As illustrated in figure 2, the level of organizational commitment to privacy accountability drives the expectations for privacy stewardship at executive management, program operations management, and employee levels.
Effective privacy stewardship includes (1) ongoing privacy risk assessment and mitigation; (2) standardized procedures that implement the FIPPs and other requirements; and (3) established privacy conduct, training, and safeguards in program operations.

Figure 2. Pillars of Privacy Stewardship
Source: Adapted from DHS Privacy Office, DHS Privacy Framework.

A component’s culture of privacy results from how well its executive management, program operation managers, and employees understand, implement, and enforce its privacy commitment in their respective roles. Promotion of an effective culture of privacy leads to embedded shared attitudes, values, goals, and practices for complying with the requirements for proper handling of PII.

Results of Audit

ICE Has Made Progress in Privacy Stewardship

ICE demonstrated its commitment to privacy stewardship by designating a privacy officer and establishing a privacy office. The ICE Privacy Office provides privacy guidance, training, and assistance in assessing risks to PII. In addition, ICE has implemented processes for privacy notice, access, complaints, correction, and redress for individuals.

Privacy Office

In April 2008, ICE established the ICE Privacy Office by designating a privacy officer who is responsible for providing support and guidance for integrating privacy requirements into program operations. The ICE Privacy Office consists of five staff members. The ICE Privacy Office reports to the ICE Assistant Secretary’s Chief of Staff.
See appendix E for the duties that component privacy officers are required to perform. The ICE Privacy Office performs the following activities:

• Serves as point of contact with the DHS Privacy Office.
• Communicates privacy initiatives through its network site, which links to individual privacy laws, regulations, and policies, as well as to the DHS Privacy Office’s public website.
• Provides additional guidance on privacy integration at points in the information technology system life cycle, instructions for reporting a privacy incident, and privacy tips on its network site. In a survey that we conducted, almost 75% of respondents who collect, handle, view, or maintain PII reported that they look for privacy guidance on the ICE Privacy Office network site.[2]
• Monitors privacy compliance when responding to privacy questions and assists managers in drafting privacy compliance documentation.
• Manages ICE’s privacy incident responsibilities as defined in the DHS Privacy Office’s Privacy Incident Handling Guidance and notifies the DHS Privacy Office of PII incidents.

[2] In November 2009, the OIG emailed to the ICE workforce a survey on its culture of privacy. The survey solicited opinions on how ICE employees could improve their understanding of privacy.
See appendix G for the methodology and details of the survey.

Initial and Annual Privacy Training

In compliance with Office of Management and Budget (OMB) M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, the ICE Privacy Office provides initial privacy training for new employees and annual refresher privacy training for current employees. As of October 2009, the ICE Privacy Office began participating in all biweekly new employee orientation briefings to emphasize the importance of privacy as a core value at DHS. In October 2009, 34% of ICE’s survey respondents reported that they received privacy training when they were hired.

ICE complies with the annual training requirement by requiring that employees take the Information Assurance and Awareness Training, which includes a module on safeguarding PII. The ICE Office of Training and Development monitors and retains employee training records, which show that 93% of employees (16,526 of 17,795) completed the training in FY 2008. In October 2009, the ICE Privacy Office implemented a Culture of Privacy Awareness course.
Topics include penalties for noncompliance with key privacy laws, obligations to report privacy incidents, and a test on applying privacy procedures in various scenarios.

Privacy Impact Assessments

The E-Government Act of 2002 requires agencies to conduct Privacy Impact Assessments (PIAs) for information systems that collect, maintain, or disseminate PII.[3] DHS Handbook 4300A requires a risk assessment every 3 years or whenever there are significant changes to the system. See appendix F for details regarding the PIAs on the systems that we reviewed.

The ICE Privacy Office is making progress in obtaining approvals of its PIAs. In November 2009, the DHS Office of the Chief Information Officer reported that 51% (19 of 37) of ICE’s operational PII systems have approved PIAs.[4] In March 2010, ICE had 66% approved PIAs and in May, the ICE Privacy Office achieved a 72% completion rate.

[3] A Privacy Impact Assessment is the result of an analysis of how PII is collected, used, disseminated, and maintained, and represents how ICE has incorporated privacy concerns throughout the development, design, and deployment of a program, system, technology, or rulemaking.

[4] The DHS Office of the Chief Information Officer developed an application, Trusted Agent FISMA, as an enterprise compliance management tool that tracks data related to DHS components’ security status and privacy impact assessments, as well as plans of action and milestones to correct deficiencies.

According to the DHS Privacy Office Privacy Impact Assessments Official Guidance, every system that collects PII should have a retention schedule describing how long the information will be retained. Retention schedules ensure that components retain PII for as long as necessary to fulfill the specified purpose of collection. In compliance with OMB Circular A-130, ICE program operations managers work with the Records Management Branch to submit a records retention schedule to the National Archives and Records Administration for approval and registration.
As of November 2009, 89% (33 of 37) of ICE’s PII systems are in the approval process.

Processes for Privacy Notice, Access, Complaints, Correction, and Redress for Individuals

ICE provides notice to individuals regarding the component’s collection, use, dissemination, and maintenance of PII in three specific ways:

• ICE provides Privacy Act statements for individuals from whom PII is collected on forms and websites.
• The ICE Privacy Office’s public website shows its mission statement, contact information, and privacy notice.
• The ICE Privacy Office provides assistance and guidance to program operations managers regarding the development and approval process for Privacy Impact Assessments (PIAs) and System of Records Notices (SORNs).[5] ICE has 30 PIAs and 13 SORNs that are approved by the DHS Privacy Office and are available on its public website.

The ICE Privacy Office has processes to receive privacy complaints and requests for access, correction, and redress from individuals. Through its Privacy Office Tracking System, the ICE Privacy Office tracks and resolves such complaints.
Information on ICE and other component privacy complaints is available on the DHS Privacy Office public website.

Program Operations Managers Can Improve Privacy Culture

As stewards, program operations managers are in a unique position to provide leadership and instill a culture of privacy by promoting the importance of protecting privacy to their employees. ICE program operations managers can improve the overall privacy culture by instilling an internal discipline of applying privacy safeguards in four key areas:

• Minimizing privacy incidents by developing operational procedures that integrate privacy protections into daily work activities;
• Providing job-specific privacy training and oversight;
• Enforcing DHS privacy rules of conduct; and
• Applying privacy policies to PII sharing with external agencies.

[5] The System of Records Notice explains to the public how PII owners can exercise their rights granted through the Privacy Act.

Program Operations Managers Are Instrumental in Minimizing Privacy Incidents

DHS has privacy rules of conduct that can apply to different jobs and operations.
However, about 45% of ICE’s survey respondents did not respond or responded incorrectly to questions regarding proper privacy procedures as set forth in the DHS Privacy Office Handbook for Safeguarding Sensitive Personally Identifiable Information.

As indicated in figure 3, 72% (114 of 159) of all incidents were reported under one of two categories: alteration/compromise of information or misuse.[6] Twenty-eight percent (45 of 159) of incidents related to unauthorized access to ICE resources or other incidents.

DHS Categories of ICE Incidents         2-yr Period    Privacy Incidents           Security Incidents
                                        Incidents      2008   2009   % change      2008   2009   % change
Alteration/Compromise of Information    86             28     29     4%            19     10     -47%
Misuse                                  28             2      0      -100%         19     7      -63%
Unauthorized Access                     5              1      1      0%            2      1      -50%
Other                                   40             0      0      0%            8      32     300%
Totals                                  159            31     30     -3%           48     50     4%

Figure 3. ICE Reported Privacy and Security Incidents (2008 and 2009)
Source: DHS Security Operations Center.

We analyzed each of the 61 privacy incidents reported for 2008 (31) and 2009 (30). Sixty-two percent (38 of 61) of privacy incidents over the 2-year period involved the use of information systems. The remaining 38% (23 of 61) resulted from loss or theft of PII in laptops, mobile media devices, smart phones, hard drives, and paper files under the responsibility of ICE employees or contractors. We determined that 97% (59 of 61) of the incidents occurred because employees or contractors did not follow DHS privacy rules of conduct. The remaining 3% (2 of 61) occurred because of improper implementation of system security controls.

[6] The DHS Privacy Office’s Privacy Incident Handling Guidance defines privacy incidents as unauthorized access or potential access to PII in usable form, whether physical or electronic.

Managers and employees whom we interviewed or surveyed told us that they have existing protocols and standards that provide privacy protection. For example, detention standards include the security of detainee records handled by nearly 8,000 Detention and Removal Operations personnel across 24 field offices, 161 subfield offices, and 22 detention service centers. Yet, we identified numerous instances during the 2-year period (2008 and 2009) of employees failing to protect PII.
For example:

• An ICE employee sent an unencrypted email containing PII to a personal email account.
• Through inventory control, ICE discovered that a former ICE agent had lost his laptop, on which unencrypted investigative PII and physical security vulnerability reports were accessible.
• An unencrypted personal thumb drive containing PII of Student Exchange Visitor Program exchange visitors was stolen from an ICE employee attending a conference in India.
• Although an exiting ICE employee was debriefed, he left with a CD with the PII of 6,000 ICE agents. This incident was discovered by the new employing agency that found the PII and contacted ICE.
• Detainee records have been shared with individuals who did not have a need for this information, but these privacy incidents were not reported.
• In a hotel, ICE agents lost paper PII of individuals under investigation.
• Hundreds of paper PII records pertaining to ICE employees were left in a laptop case that was sold at a government auction.

The inability of employees to apply DHS rules of privacy conduct to their jobs and operations places PII at risk. As supervisors, program operations managers can promote an understanding of the importance of privacy and help employees apply privacy rules to the work setting. An additional layer of security results when job-specific privacy procedures are embedded as shared attitudes, values, goals, and practices in the workplace.
When employees are reminded of privacy implications and proper procedures for handling PII, they may avoid causing privacy incidents. Furthermore, by establishing an internal discipline for proper handling of PII, program operations managers can instill and improve the overall culture of privacy.

ICE Needs Job-Related Privacy Training to Comply With Requirements

OMB M-07-16 requires job-specific privacy training and recommends that agencies augment training through creative methods, job-specific communications, and advanced training to promote and improve the employees’ understanding of their privacy responsibilities. Yet, fewer than 7% of survey respondents reported receiving specialized or advanced privacy training. Although the ICE Privacy Office provides initial and annual privacy training, ICE employees need a better understanding of how to integrate privacy protections into their daily work.

Figure 4 shows that 87% (273 of 315) of survey respondents indicated that the available training and communication of privacy requirements are too general to be effective for their program-level application. Respondents recommended the following improvements: (1) more frequent, innovative, job-specific training (46%), (2) in-person training (30%), and (3) improved communication of privacy requirements (11%).
  Only 13% (42 of 315) of respondents, most of whom do not handle
  PII, indicated that the present privacy training is acceptable.

  Training Recommendations by Survey Respondents
  ICE Privacy Culture Survey (N=315 respondents)

    More frequent, innovative, job-specific training: 46%
    In-person training: 30%
    Improved communication of privacy requirements: 11%
    No change to present training: 13%

  Figure 4. Training Recommendations by Survey Respondents
  Source: OIG Analysis, ICE Culture of Privacy Survey.

  ICE relies on computer-based privacy training to expand its reach
  to almost 18,000 employees located in more than 400 offices
  worldwide. Therefore, in-person training is limited. The ICE
  Privacy Office is improving communications by meeting with
  groups regarding privacy compliance. The FIPPs for privacy
  accountability require managers and supervisors to provide
  training that integrates privacy safeguards into the daily work of
  employees and contractors who handle PII. However, program
  operations managers, who can provide in-person privacy training,
  coaching, and reminders, have not had the resources for
  customizing operational procedures to include privacy protections.

  Forty-six percent of survey respondents requested more frequent
  and innovative job-specific privacy training.
  Program operations managers whom we interviewed have not had the
  administrative support for implementing innovative or job-related
  privacy training. If they do not have the appropriate type and level
  of training and reinforcement of privacy protections, employees and
  system users who collect, use, or maintain PII may be careless or
  may not understand their responsibilities. The public’s PII may be
  exposed to unnecessary risks.

  ICE Needs Adequate Enforcement of Penalties for Privacy Rules of Conduct

  ICE managers do not have specific penalties for privacy violations
  that correspond with the DHS privacy rules of conduct according
  to the DHS Privacy Office Handbook for Safeguarding Sensitive
  Personally Identifiable Information. The lack of specificity in the
  existing ICE Table of Offenses and Penalties leads to inadequate
  enforcement of penalties for privacy violations. In 2008 and 2009,
  managers enforced penalties for 31% (19 of 61) of all reported
  privacy violations.

  In October 2008, the ICE Privacy Office recommended inclusion
  of privacy conduct into the existing rules of security behavior and
  changes to the ICE Table of Offenses and Penalties as an efficient
  way to enforce employees’ privacy obligations.
  At present, the agency and union reviews have not been completed.

  Information-Sharing Access Agreements Do Not Adequately Address Privacy

  ICE has information-sharing access agreements for exchanging
  information when there is a need to share such information with
  external agencies to carry out national security, immigration, law
  enforcement, or intelligence functions.7 The DHS Information Sharing
  Coordinating Council developed a standardized process for the
  creation and approval of information-sharing access agreements
  that includes a privacy review. For example, the DHS Federal
  Information Sharing Environment Privacy and Civil Liberties
  Protection Policy requires that these agreements describe how the
  FIPPs have been implemented in the information-sharing
  environment.8 See appendix D for the eight FIPPs principles.

  None of the 11 information-sharing access agreements that ICE
  provided to us implemented all of the eight FIPPs. Figure 5
  illustrates the incompleteness and inconsistencies of these
  agreements, through which ICE shares large volumes of financial
  data and the public’s PII.
  See appendix F for details on the systems’ information sharing.

  Did Information-Sharing Access Agreements Address the FIPPs?

  Fair Information Practice Principles           BMIS Web   SEVIS I   DARTTS   ICEGangs
  Security                                       Yes        Yes       Yes      Yes
  Use Limitation                                 Yes        No        Yes      Yes
  Purpose Specification                          No         Yes       Yes      No
  Accountability and Auditing (incl. Training)   No         No        Yes      No
  Transparency                                   No         No        Yes      No
  Data Minimization                              No         No        No       Yes
  Data Quality and Integrity                     No         No        No       Yes
  Individual Participation                       No         No        N/A      N/A

  Figure 5. Privacy Integration in Information-Sharing Access Agreements
  Source: 11 ICE information-sharing access agreements.

  According to the DHS Information Sharing Access Agreements
  Methodology Guidebook, component program operations
  managers are responsible for working with their privacy
  representatives to draft new information-sharing access agreements
  and update legacy agreements.
  As ICE’s privacy representative, the ICE privacy officer is best
  situated to identify the privacy issues related to ICE’s mission and
  understand how best to implement DHS privacy policies.

  Based on our review of nine agreements, ICE managers have not
  followed the Information Sharing Coordinating Council’s
  methodology or DHS privacy policies. There is no indication that
  the ICE Privacy Office or a privacy representative was involved in
  the development of these agreements. In addition, there are
  omissions in addressing privacy considerations when sharing
  information. Consistently implementing the FIPPs through these
  agreements would ensure that sharing agencies have agreed to
  comply with protocols for handling PII, data quality needed for the
  specified use, reliability of data sources, data security, and
  minimizing data sharing to the amount necessary to meet the
  purpose of the agreement.

  7 An information-sharing access agreement is any memorandum of
    understanding, memorandum of agreement, letter of understanding,
    letter of agreement, or any form of agreement that is used to
    facilitate the exchange of information between two or more parties.
  8 The information-sharing environment is an approach that facilitates
    the sharing of terrorism information.

  In addition, legacy agreements have not been updated to reflect
  current DHS guidance.
  Therefore, both legacy and newer agreements have omissions in
  addressing privacy considerations. Without a standardized process
  at the component-level to ensure that all PII information sharing
  has a privacy review prior to drafting agreements, mistakes,
  misunderstandings, data misuse, and incidents can occur.

Recommendations

  We recommend that the Assistant Secretary of ICE:

  Recommendation #1: Direct program operational managers to
  develop and implement privacy procedures and job-related privacy
  training to safeguard PII in program operations.

  Recommendation #2: Establish penalties for violations that
  correspond with DHS privacy rules of conduct.

  Recommendation #3: Establish a standardized process that
  includes the ICE Privacy Office for the review and approval of
  information-sharing access agreements that involve PII.

Management Comments and OIG Analysis

  We obtained written comments on a draft of this report from the
  Assistant Secretary of ICE. We have included a copy of the
  comments in appendix B.

  ICE concurred with our findings and recommendations.
  Concerning recommendation #1, ICE is taking steps to provide
  training on supervisory roles to support privacy awareness and
  compliance. We consider recommendation #1 open, pending our
  review of the finalized course documentation and training schedule
  by ICE.

  ICE concurs with recommendation #2. ICE indicated it plans to
  adopt the DHS "PII Acknowledgement and Agreement" form that
  identifies penalties for violations of privacy rules of conduct.
  Also, ICE is considering amendments to the ICE Table of Offenses
  and Penalties.
  We consider recommendation #2 open, pending our review of ICE's
  adoption of the "PII Acknowledgement and Agreement" form and
  other actions.

  ICE concurs with recommendation #3. According to ICE, it
  follows the DHS process for the review and approval of
  information sharing access agreements that involve PII. ICE also
  stated that the agreements reviewed by the OIG for the audit are
  older agreements drafted prior to the creation of the ISCC
  standards and prior to the existence of the ICE Privacy Office. As
  clarification, our review included both older agreements and
  agreements drafted after the establishment of the ISCC standards
  and ICE Privacy Office. We consider recommendation #3 open,
  pending our review of documentation that defines the process for
  engagement and the role of the ICE Privacy Office for component
  level review and approval of all ICE information sharing access
  agreements.

Appendix A
Purpose, Scope, and Methodology

  Our objective was to determine whether ICE’s plans and activities
  instill and promote a culture of privacy and whether ICE complies
  with federal privacy laws and regulations. As background for this
  audit, we researched and reviewed federal guidance and laws
  related to ICE’s responsibilities for privacy protections. We
  reviewed testimonies, ICE documentation, and reports related to
  ICE’s privacy, information technology security, and program
  management.

  We interviewed officials from the DHS Privacy Office and
  discussed its implementation of the DHS Privacy Framework and
  duties of component privacy officers.
  In addition to interviewing ICE’s Privacy Officer and Chief
  Information Security Officer, we interviewed more than 70 program
  managers and information system security professionals at ICE
  headquarters and field sites.

  We emailed a survey to the ICE workforce to obtain their
  recommendations for improving their understanding of privacy and
  for an indication of their privacy knowledge. Four hundred and
  seventy of the 1,274 respondents offered written comments on the
  status, issues, suggestions, or challenges in ICE privacy
  stewardship. (See appendix G.)

  We selected a sample of 8 systems from a total of 37 systems that
  handle personally identifiable information. For this sample, we
  reviewed technical information, system security documentation,
  architectures, financial justifications, privacy impact assessments,
  SORNs, application of the Fair Information Practice Principles, and
  ICE and program-level application of federal and DHS privacy laws
  and guidance.

  Our analysis is based on direct observation, review of applicable
  documentation, and interviews. We conducted this performance
  audit between August 2009 and May 2010 in accordance with
  generally accepted government auditing standards. The standards
  require that we plan and perform the audit to obtain sufficient,
  appropriate evidence to provide a reasonable basis for our findings
  and conclusions based on our audit objectives.
  We believe that the evidence obtained provides a reasonable basis
  for our findings and conclusions based on our audit objectives.

  The principal OIG points of contact for the audit are Frank Deffer,
  Assistant Inspector General for Information Technology Audits at
  (202) 254-4041, and Marj Leaming, Director, System Privacy
  Division at (202) 254-4172. Major OIG contributors to the audit
  are identified in appendix H.

Appendix B
Management Comments to the Draft Report

  U.S. Immigration and Customs Enforcement

  MEMORANDUM FOR: Frank Deffer
                  Assistant Inspector General for Information Technology Audits
                  Office of Inspector General

  FROM:           Deputy Chief Financial Officer (Acting)
                  U.S.
Inl""~""i,.,   ..>.ll\'1l\xc2\xabQ"" 1\',1"""",,,",\n\n        SI:BJECT:                      Con,"O(," \'" ():(i D("f, ~<f<"\' "I("I\' ~<i".,y S"\'\'\'\'ml\'hlp . .-\\\'tNi M,)\'\n                                       2~1O\n\n\n        U.S. I"",i~,"\'i,", .,,1  C\'\'\'\'\'\'\',,,,,\n                                         r~,rO"\'<"""L (Telo,           ,po;:\xc2\xab."i"\'",\n                                                                            L1>.: :>pportcni\'y Lo CO<llIll<tl, on\n        th< dian   "\'po". I~ IO\'?,,"" to OIr]\'o ""\'\'\'\'\'\'\'\'\'\'\'\'\'t\'m, "" ",",ion oy IC~;\n\n        RK<lm""ndal\'." II I: llire<\' ,,.,...,,,,, "",,.,,,,,,,1 "\'\'\'"\'\'.\'\'\' 10 <ie"<Iop "11<1 irrpl.\'m:r.l "\';\',,,,\'\n        ~~..."" and jeb-,e[,\'N ~~"~,y ",1<\':"1 ,,, "\'f<8\',"d PII In p",sn,m op_\xc2\xb7",,;"n..\n\n\n        ~"I"""<\xc2\xbb I: ICE       <"\'><"".     ICE hao aJ,,->d,\' i\'U""~""H"d \'-\'<>ic I" i".., " \xe2\x80\xa2. "i,,~ Ii. ,,]1\n        "\'\'I\'\'"y\'"\'\' ""~ ,,,," ..~I " L",inin~ pI,n I,... will dcliv.\'f thruLliih "arl,", mom. "",doli",,,\n        p,i\\\'>cy ".i"",~ ".1 &"I,bn;< ,.. \xc2\xabnpJuleo> ",,,..,I OIl Ihcir ""~",,"<l ",k>. ""Ii,. . Md\n        """,,"\'hili\';", I" >d<li,;\'-\'n. 1;;1: "ill,,,", i.\'pJ<n""" p<im,y \'e\'i",n! k>r ICE """\'\'\'\'\'\'\'\'os loo\'\n        will Male them .wa", of\'hd, oblif>..... ,", \'"I""";"\'" \'" <><,~"\'~ "",I I,"~I",,"\'" p,i"\'\'\'r\n        pro"""i",,, i" ,.-0<"\'""\'\'\'\'   .nJ ,><>Ii,;"" ~ov\'\'\'\';n~ """\' I""~nun .,"\'~.\n\n\n\n        It<<Q,,,o,o,,d.,l." .2, I\':,,>hli<h P\'",rt",s fOf .i.,bt",,,, I"\'" c"""\'P\'J:.1 w;Ih IJHS "\';\'\'\'\'l\' ,,,I,,\n        ofwndoc\'-\n\n         R"p\'." ~ 2, ICE CO""",.. The OilS Pri"",y O,li" "",,",.ned p,I,\'\'\'\'y ",I<" of <oM"" in 10,\n        "\'\'\'\'\'ibwlf\'\'\' .\'i<</,X\'",,\xc2\xb7</inK S<-,,,il,,\xc2\xb7c l\'m",.,liy Mcn<.\'/i.bi<- b~~".I",,- Rc~""\'i"ll\n        ",n,..\'l\'~"\'\'\'\'. 
Ill, 00, f<i"",y om", in \'0"\'" it\'li"" with LIl<: Chi,fl{um"" C.p.ta. Ott\\co\n        ICIICOI """ orr"" of (;,11\xc2\xab" COO""" (OGCJ \'kv\'h.,?,"<l \xe2\x80\xa2 -~II A,lmowl\'d;:Cm<n\' aM\n        ,\\grc<mruf\' form tI", id<nt,fL" p<.","i" for "\';;,I"i",,, "ftlle ,111" 111" Ii",,, i, curTen,ly ",01"\n        \xe2\x80\xa2 ,iN! ,"vl<w by CHCO. am OCC iIllU will I>c impl<:m<:.. <d "\' p:m of \\h<: C"lt"\'" oll\'ri,\'3<\'\n        Aw,"",,,, \'"I",,>! "",,\'" \'"\' IJIISco..-"". I" ,.I.~\'.)ft. Ie!, \',<"","d\xc2\xab\',"_ " ",,,I,,,,nt< \'0 tl,..\n        ICE T.01< ofOtl<n.... \'Old i\'en,I,i.. "".. "\'ill <;\',ify <>\'1>1;"-, <\'<~"~i",,. of,\' I",on\' \'0\n        """"""\'00 whh the lIand\'-,. I\'" "\'-\'f\'Sum-Ji"\xe2\x80\xa2.""mWw fm"""ily /,!<n\'ifi"b1, Info\'\'\'\'\'\'Ii"n,\n\n\n\n\n                        Immigration and Customs Enforcement Privacy Stewardship\n \n\n\n                                                                Page 15\n \n\n\x0cAppendix B\nManagement Comments to the Draft Report\n\n\n                                                                           Office of/1M! ChiefHnoncial OfflCtr\n\n                                                                           U.S. Ilr(lartmtnt or lIomrlam.l S\xc2\xaburil,\'\n                                                                           500 12110 Stm:t. SW\n                                                                           Washington. DC 20536\n\n\n                                                                           u.s. 
  Immigration and Customs Enforcement

  ICE requests this recommendation be considered resolved and open.

  Recommendation #3: Establish a standardized process that includes the ICE Privacy Office for
  the review and approval of information-sharing access agreements that involve PII.

  Response #3: ICE concurs. DHS has a standardized process that already exists and is being
  implemented by ICE that requires the participation of the Privacy Office in the review and
  approval of ICE information sharing access agreements (ISAAs) that involve PII. The DHS
  Information Sharing Coordination Council (ISCC) Information Sharing and Access Agreement
  Methodology Guidebook (February 2008) requires the participation of a privacy representative in
  the ISAA drafting process (see p.6). The ISAA Questionnaire, which is intended to collect the
  information needed to form an ISAA, also requires the participation of the privacy representative
  in answering certain questions (see p.6, Appendix A).
  The agreements reviewed by the OIG for this audit are older agreements drafted prior to the
  creation of the ISCC standards and prior to the existence of the ICE Privacy Office.

  ICE requests this recommendation be considered resolved and closed.

  Should you have questions or concerns, please contact Michael Moy, OIG Portfolio Manager, at
  (202) 732-6263, or by e-mail at Michael.Moy@dhs.gov.

Appendix C
Legislation, Memorandums, Directives, and Guidance
Related to ICE Privacy Stewardship Audit

LEGISLATION

Privacy Act of 1974, 5 U.S.C. § 552a (2004). http://www.opm.gov/feddata/USC552a.txt

E-Government Act of 2002, Public Law 107-347, 116 STAT. 2899 (2002).
http://www.gpo.gov/fdsys/pkg/PLAW-107publ347/pdf/PLAW-107publ347.pdf

Implementing Recommendations of the 9/11 Commission Act of 2007, Public Law 110-53, 121 Stat. 266, 360 (2007).
http://www.nctc.gov/docs/ir-of-the-9-11-comm-act-of-2007.pdf

The Freedom of Information Act, 5 U.S.C. § 552, Public Law 104-231, 110 Stat. 3048 (1996).
http://www.justice.gov/oip/foia_updates/Vol_XVII_4/page2.htm

OMB CIRCULAR AND MEMORANDA

OMB Circular A-130: Management of Federal Information Resources, November 28, 2000.
http://www.whitehouse.gov/omb/assets/omb/circulars/a130/a130trans4.pdf

OMB M-09-29: FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy
Management (August 20, 2009). http://www.whitehouse.gov/omb/assets/memoranda_fy2009/m09-29.pdf

OMB M-07-16: Safeguarding Against and Responding to the Breach of Personally Identifiable Information (May 22, 2007).
http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf

DIRECTIVES AND GUIDANCE

DHS Memorandum: Designation of Component Privacy Officers (June 5, 2009). (No external link available)

DHS Management Directive Number 0470.2: Privacy Act Compliance (October 6, 2005). (No external link available)

Privacy and Civil Liberties Policy Guidance Memorandum 2009-01: The Department of Homeland Security’s Federal
Information Sharing Environment Privacy and Civil Liberties Protection Policy (June 5, 2009).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_crcl_guidance_ise_2009-01.pdf

Privacy Policy Guidance Memorandum Number 2008-01: The Fair Information Practice Principles: Framework for
Privacy Policy at the Department of Homeland Security (December 29, 2008).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf

Privacy Policy Guidance Memorandum Number 2007-01: DHS Privacy Policy Regarding Collection, Use, Retention,
and Dissemination of Information on Non-U.S. Persons (January 7, 2009).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2007-1.pdf

DHS Privacy Office: Handbook for Safeguarding Sensitive Personally Identifiable Information at the Department of
Homeland Security (October 31, 2008). http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_spii_handbook.pdf

DHS Privacy Office: Privacy Incident Handling Guidance (September 10, 2007).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_guide_pihg.pdf

DHS Privacy Office: Privacy Impact Assessments Official Guidance (May 2007).
http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_guidance_may2007.pdf

DHS 4300A: Sensitive Systems Handbook Version 7.1 (November 13, 2009).
(No External Link Available)

Appendix D
The Fair Information Practice Principles

The DHS Privacy Office, Privacy Policy Guidance Memorandum Number 2008-01,
December 29, 2008, adopted the Fair Information Practice Principles as its privacy
policy framework for application by DHS programs and activities.

EIGHT FAIR INFORMATION PRACTICE PRINCIPLES

Transparency: DHS should be transparent and provide notice to the individual regarding its
collection, use, dissemination, and maintenance of personally identifiable information (PII).

Individual Participation: DHS should involve the individual in the process of using PII and, to
the extent practicable, seek individual consent for the collection, use, dissemination, and
maintenance of PII. DHS should also provide mechanisms for appropriate access, correction,
and redress regarding DHS use of PII.

Purpose Specification: DHS should specifically articulate the authority that permits the
collection of PII and specifically articulate the purpose or purposes for which the PII is intended
to be used.

Data Minimization: DHS should collect only PII that is directly relevant and necessary to
accomplish the specified purpose(s) and retain PII only for as long as is necessary to fulfill the
specified purpose(s).

Use Limitation: DHS should use PII solely for the purpose(s) specified in the notice.
Sharing PII outside the department should be for a purpose compatible with the purpose for
which the PII was collected.

Data Quality and Integrity: DHS should, to the extent practicable, ensure that PII is accurate,
relevant, timely, and complete.

Security: DHS should protect PII (in all media) through appropriate security safeguards against
risks such as loss, unauthorized access or use, destruction, modification, or unintended or
inappropriate disclosure.

Accountability and Auditing: DHS should be accountable for complying with these principles,
providing training to all employees and contractors who use PII, and auditing the actual use of
PII to demonstrate compliance with these principles and all applicable privacy protection
requirements.

Appendix E
Component-Level Privacy Office Designation and Duties

COMPONENTS TO DESIGNATE PRIVACY OFFICERS

  • U.S. Immigration and Customs Enforcement
  • Federal Emergency Management Agency
  • National Protection and Programs Directorate
  • Office of Intelligence and Analysis
  • Science and Technology Directorate
  • Transportation Security Administration
  • U.S. Citizenship and Immigration Services
  • United States Coast Guard
  • U.S. Customs and Border Protection
  • United States Secret Service

COMPONENT PRIVACY OFFICER DUTIES

  • Communicate the component privacy initiatives, both internally and externally.

  • Implement and monitor privacy training for employees and contractors.

  • Provide privacy information to the DHS Privacy Office for quarterly Federal
    Information Security Management Act reporting, Section 803 of the Implementing
    Recommendations of the 9/11 Commission Act reporting, the DHS Privacy Office
    Annual Report, and other reporting requirements as needed.

  • Serve as the point of contact to handle privacy incident response responsibilities
    as defined in the Privacy Incident Handling Guidance.

  • Assist in drafting and reviewing Privacy Threshold Assessments, Privacy Impact
    Assessments (PIAs), and Systems of Records Notices (SORNs), as well as any
    associated privacy compliance documentation.

  • Monitor component’s compliance with all federal privacy laws and regulations;
    implementing corrective, remedial, and preventative actions; and notifying the
    DHS Privacy Office of privacy issues or noncompliance when necessary.

Source: DHS Memorandum, Designation of Component Privacy Officers, June 5, 2009.

Appendix F
Selected Systems: PII Collected, Privacy Impact Assessments, System of Records
Notices, and Information Sharing

System Name and PII Collected                            Privacy Impact     System of          Information Sharing
                                                         Assessment         Records Notice

Operational Systems

Data Analysis and Research for Trade                     Data Analysis      Trade              DARTTS shares information with law enforcement
Transparency System (DARTTS) collects contact            and Research for   Transparency       entities for investigatory purposes and with other
information about U.S. and foreign importers,            Trade              Analysis and       federal, state, local, and foreign agencies.
exporters, brokers, and consignees; identification       Transparency       Research (TTAR)    DARTTS shares its reports on trade anomalies
numbers for importers, exporters, and brokers; and       System             October 31, 2008   with other DHS components for law enforcement
U.S. financial data that includes Social Security and    (DARTTS)                              purposes. DARTTS uses trade data provided by
tax identification numbers, bank account                 October 20,                           federal agencies, foreign governments, and
information, and passport information.                   2008, Updated                         financial data collected by Customs and Border
                                                         April 26, 2010                        Protection and the Department of Treasury
                                                                                               Financial Crimes Enforcement Network.

Bond Management Information System Web                   Bond               Bonds              BMIS Web shares information, as needed, with the
Version (BMIS Web) collects information about            Management         Management         Internal Revenue Service and the Department of
bonded aliens, individuals posting the bond              Information        Information        Justice regarding interest paid to obligors,
(obligors), surety companies or bonding agencies,        System Web         System (BMIS)      collections on monies owed on a bond, and
and bond information such as amount, bond                Version (BMIS      September 11,      investigations of a surety bonding agent/agency of
number, or date posted.                                  Web) August 25,    2008               financial stability, licensing, or business practices.
                                                         2008, Updated
                                                         November 20,
                                                         2009

Electronic Bonds (eBONDS) will collect                   Electronic         Bonds              eBONDS shares information with the surety
information such as an alien’s name, A-number,           BONDS July 14,     Management         agents that have requested bond for an alien.
bondable status, and detention location; the bond        2009               Information        eBONDS provides alien information to notify surety
requester’s name and address; surety agent’s                                System (BMIS)      agents that an alien is eligible for a bond and to
name, username, and password; and surety                                    September 11,      facilitate the creation of the bond documentation
company’s name, address, email address, and                                 2008               package by the surety agent.
phone number.

Student and Exchange Visitor Information                 Student and        Student and        SEVIS I shares information with certified schools,
System (SEVIS I) collects information about              Exchange Visitor   Exchange Visitor   designated sponsors, and exchange visitors.
certified schools, designated sponsors, foreign          Information        Information        SEVIS I exchanges data with DHS components
students or exchange visitors, and their dependents      System February    System March       and other federal agencies such as the
during their stays in the United States.                 5, 2005            22, 2005           Department of State and Department of Justice.
                                                         (out of date)      (out of date)

National Child Victim Identification System              National Child     NCVIS is not a     NCVIS shares information with state, local, and
(NCVIS) is a repository of 164,000 child victim          Victim             system of          tribal government and federal law enforcement
images. Agents use the images as an aid for              Identification     records. A         agencies when these agencies submit an
international law enforcement activities against child   System (NCVIS)     SORN is not        unconfirmed image to the ICE Cyber Crime Center
exploitation crimes.                                     August 21, 2009    required.          to request a match. The images are never shared
                                                                                               with non-law enforcement entities.

ICEGangs collects information about gang                 ICEGangs           Intelligence       ICEGangs is a database that shares information
members or associates directly from individuals          Database           Records System     regarding gangs, gang members, and gang
during normal law enforcement investigative              January 15, 2009   (IIRS) December    associates when there is a need for this
activities such as arrests, field interviews with an                        9, 2008, 73 FR     information by state, local, and tribal government
informant, or by reviewing evidence.
74735                and federal law enforcement agencies, as well as\n                                                                                               DHS components such as Customs and Border\n                                                                                               Protection.\n             Non-Operational Systems\nStudent and Exchange Visitor Information                 Student            Student and        Not available\nSystem (SEVIS II) will collect the same information      Exchange Visitor   Exchange Visitor\nas SEVIS I.                                              Information        Information\n                                                         System II          System January\n                                                         December 4,        5, 2010\n                                                         2009\nData Analysis and Research for Trade                   See DARTTS         See DARTTS         Not available\nTransparency System (DARTTS) Enterprise will\ncollect the same information as DARTTS.\n             Source: The DHS Privacy Office has ICE Privacy Impact Assessments and System of Records Notices at\n             http://www.dhs.gov/xabout/structure/editorial_0338.shtm (accessed January 21, 2010).\n\n\n\n\n                                          Immigration and Customs Enforcement Privacy Stewardship\n\n                                                                      Page 20\n\x0cAppendix G\nICE Culture of Privacy Survey\n\nOIG developed a privacy questionnaire with involvement of the ICE Privacy Office. The\npurpose of the survey was to obtain employees\xe2\x80\x99 recommendations for improvements in\nunderstanding privacy.\n\nIn October 2009, the OIG emailed the ICE workforce a link to a secure site to complete\nan online privacy questionnaire. Participation was voluntary, confidential, and accessible\nonly by the OIG. 
The results of the survey provided insights into areas in which
improvements are needed. The following figure provides the levels of job responsibility,
locations, and lengths of service for respondents who either completed the survey or
provided selected responses.

                      Demographics Of Participants Of ICE Culture Survey
Level of Job Responsibility                          Location                 Length of Service
Entry-level employees (15.9%)                        Headquarters (21.6%)     Less than 3 months (4.2%)
Mid- to high-level (nonmanager) employees (64.4%)    Field offices (68.5%)    3–12 months (11.5%)
Supervisors/managers (19.7%)                         Other (9.9%)             1–3 years (22.6%)
                                                                              More than 3 years (61.7%)
Source: OIG Analysis, ICE Culture of Privacy Survey.

Of the 1,274 respondents, 53.6% (683) completed the survey, 23.6% (300) provided
selected responses, and 22.8% (291) initiated the survey but did not provide further
response. The completed survey response rate was 3.8% (683 of 17,795).⁹

The following figure shows our grouping of 470 written comments by survey
respondents. There are five key themes: privacy awareness and training (67%), internal
privacy communications (14%), privacy accountability (8%), privacy culture (6%), and
understanding policy (5%).
The report provides a more detailed analysis regarding
improvements in privacy awareness and training.

[Figure: Key Themes of Written Comments, ICE Culture Survey (N=470 respondents). Pie chart with legend:
Awareness/Training: 67%; Internal Communication: 14%; Privacy Culture: 6%; Privacy Accountability: 8%;
Understanding Policy: 5%.]
Source: OIG Analysis, ICE Culture of Privacy Survey.

⁹ Throughout the report, we used the FY 2008 training base population provided to us by the ICE Office of Training
and Development.

Appendix H
Major Contributors to this Report

System Privacy Division

Marj Leaming, Director
Eun Suk Lee, Lead Privacy Auditor

Hung Huynh, Privacy Specialist
Cory Missimore, Privacy Specialist
Kevin Mullinix, Management and Program Assistant

Amanda Strickler, Referencer

Appendix I
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Policy
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Assistant Secretary for Office of Public Affairs
Assistant Secretary for Office of Legislative Affairs
Assistant Secretary for Immigration and Customs Enforcement
DHS Privacy Office
ICE Audit Liaison Office
ICE Privacy Office

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner

Congress

Congressional Oversight and Appropriations Committees, as
appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100,
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.